OFFICE OF INSPECTOR GENERAL

FISCAL YEAR 2013 EVALUATION OF NEA’S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

REPORT NO. R-14-01

February 4, 2014

REPORT RELEASE RESTRICTION

In accordance with Public Law 110-409, The Inspector General Act of 2008, this report shall be posted on the National Endowment for the Arts (NEA) website not later than three (3) days after it is made publicly available with the approval of the NEA Office of Inspector General. Information contained in this report may be confidential. The restrictions of 18 USC 1905 should be considered before this information is released to the public. Furthermore, information contained in this report should not be used for purposes other than those intended without prior consultation with the NEA Office of Inspector General regarding its applicability.

INTRODUCTION

The Federal Information Security Management Act of 2002 requires an annual evaluation by the Inspector General of its agency’s information security programs and practices. This report presents the results of our evaluation of NEA’s information security program and practices for protecting its information technology (IT) infrastructure.

BACKGROUND

The Federal Information Security Management Act (FISMA) of 2002 was signed into law on December 17, 2002. It replaced the Government Information Security Reform Act (GISRA), which expired in November 2002. The Act requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security over the operations and assets of the agency.

Office of Management and Budget (OMB) Memorandum M-14-04, dated November 18, 2013, entitled Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, updates instructions to Senior Agency Officials for Privacy, Chief Information Officers and Inspectors General for reporting their 2013 information to OMB.

The National Institute of Standards and Technology (NIST), which has the responsibility for developing technical standards and related guidance, has issued numerous publications, including NIST Publication 800-12, An Introduction to Computer Security: The NIST Handbook. This publication explains important concepts, cost considerations, and interrelationships of security controls, as well as the benefits of such controls. NIST has also published a Guide for Developing Security Plans for Information Technology Systems, Special Publication 800-37, and a Contingency Planning Guide for Federal Information Systems, Special Publication 800-34.

NEA’s Office of Information and Technology Management (ITM) maintains and operates two of the Agency’s three core systems on a local area network (LAN). These are the Grants Management System (GMS), which contains information on grant applications, and the Automated Panel Bank System (APBS), which contains information on panelists who review grant applications. ITM also operates support systems for internet and intranet services.

NEA has contracted with the Department of Transportation (DOT) Enterprise Service Center to host its Financial Management System (FMS) through DOT’s Delphi Financial Management System, and with the U.S. Department of Agriculture (USDA) National Finance Center for payroll services. NEA has also contracted with other providers for email, the grant application process and its personal identity verification (PIV) program. The Chief Information Officer (CIO) is responsible for developing policies and procedures to ensure that security is provided over all of NEA’s networks.

OBJECTIVE AND SCOPE

The objective of the evaluation was to determine the adequacy of NEA’s information technology (IT) security program and practices. This included a review of NEA’s IT security policies and procedures and its privacy management program. It also included interviews with responsible agency officials managing the IT systems, and tests of the effectiveness of security controls.

PRIOR EVALUATION AND OTHER REPORTS

According to the Office of Management and Budget (OMB) Memorandum 14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, cybersecurity has been identified as one of 14 Cross Agency Priority (CAP) Goals for FY 2013 and FY 2014. (See http://goals.performance.gov/goals_2013.) To accomplish these goals the Administration is prioritizing: (1) measuring agency implementation of Trusted Internet Connections; (2) focusing on strong authentication through the use of multifactor authentication in accordance with Homeland Security Presidential Directive-12 (HSPD-12); and (3) performing monitoring of security controls in federal information systems, and the environments in which those systems operate, on a continuous basis.

NEA OIG has issued prior reports which address weaknesses found in its information systems security program, including its continuous monitoring, HSPD-12, patch management and perimeter security programs. Below are the details of the reports which have open recommendations as of September 30, 2013.

Fiscal Year 2011 Evaluation of NEA’s Compliance with the Federal Information Security Act of 2002 (Report No. R-12-01), dated November 15, 2011. The report had eleven recommendations. NEA has implemented corrective actions for nine of the eleven recommendations. The following recommendations remain open:

Recommendation No. 8: Develop and implement written policies and procedures to ensure that it establishes an Information System Contingency Plan in compliance with NIST SP 800-34.

Recommendation No. 10: Establish and maintain a security capital planning and investment control process program for information security.

Fiscal Year 2012 Evaluation of NEA’s Compliance with the Federal Information Security Act of 2002 (Report No. R-12-01), dated December 17, 2012. The report had four recommendations. NEA has implemented corrective actions for one recommendation. The following recommendations remain open:

Recommendation No. 1: Develop an implementation policy to require the use of PIV smartcard credentials for logical access to its networks, as directed by HSPD-12.

Recommendation No. 2: Implement the use of the PIV smartcard credentials for access to its network and information systems.

Recommendation No. 3: Implement an automatic encryption method which includes all data on all mobile computers/devices that carry agency information, to ensure PII and sensitive information are not compromised.

Although corrective actions have not been completed for the above recommendations, NEA has made progress on implementing corrective actions.

TECHNICAL ASSISTANCE

As part of our FY 2013 evaluation process, we obtained technical assistance from the United States International Trade Commission Office of Inspector General (US/ITC OIG). A US/ITC OIG staff member with technical expertise was assigned to conduct a high-level, independent review of NEA’s computer information security program. Specifically, the staff member performed penetration and patch testing. Two reports were issued: Evaluation of NEA’s Patching Program, Report No. R-13-02, and Evaluation of NEA’s Perimeter Security, Report No. R-13-03, dated February 15, 2013. There were a total of thirteen recommendations, all of which remained open at the end of the reporting period. Evaluation of proposed corrective actions is in progress.

NEA offices are scheduled for relocation in February-March 2014. The relocation will divert ITM resources through the completion of the move; therefore, the implementation of corrective actions and the evaluation of those corrective actions will be impacted.

EVALUATION RESULTS

In November 2012, the Department of Homeland Security (DHS) issued a checklist for use by Offices of Inspectors General to assess the level of performance achieved by agencies in specific program areas during the FY 2013 FISMA evaluation period. The specific program areas to be assessed were:

   1. Continuous Monitoring
   2. Configuration Management
   3. Identity and Access Management
   4. Incident Response and Reporting
   5. Risk Management
   6. Security Training
   7. Plan of Action & Milestones (POA&M)
   8. Remote Access Management
   9. Contingency Planning
   10. Contractor Systems

The FY 2013 FISMA evaluation concluded that ITM has established a security program for protecting its IT infrastructure and is generally compliant with FISMA legislation. We determined that most of the specific program areas met the level of performance indicated in DHS’s FY 2013 FISMA checklist. We did not identify any material weaknesses in the program areas; however, we did identify improvement opportunities in the following programs:

   1. Plan of Action and Milestones (POA&Ms) Program
   2. Contingency Planning Program
   3. Risk Management Program - Inventory Controls

Details of our evaluation are presented in the following narrative.

PLAN OF ACTION AND MILESTONES PROGRAM

OMB’s FY 2013 instructions direct Inspectors General to review the status of the agency’s Plan of Action and Milestones (POA&Ms) program. The program should be consistent with FISMA requirements, OMB policy and applicable NIST guidelines, and include written policies for managing security weaknesses. OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, describes a POA&M as a corrective action plan: a tool that identifies tasks that need to be accomplished. It details the resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. The purpose is to assist agencies in identifying, assessing, prioritizing and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. The program should also include reports to the CIO, on a regular basis, at least quarterly, on the progress of remediation.

During our FY 2011 FISMA evaluation, we recommended areas of improvement for the POA&Ms program. We recommended that ITM develop and implement written policies and procedures for its POA&Ms program consistent with FISMA requirements, OMB policy and applicable NIST guidelines. We also recommended that the policy include procedures for regular reporting on the progress of remediation to the CIO, at least quarterly. ITM developed the policy; however, it has not been consistently implemented. As a repeated finding (FY 2008-2011 FISMA Evaluations), we believe NEA’s POA&Ms program lacks adequate tracking and monitoring of information security weaknesses. Reports were not issued quarterly, as required, and were not updated as to the status of prior weaknesses identified. As a result, there was no effective audit trail to determine whether weaknesses previously identified were resolved.

We recommend that NEA implement its POA&Ms program in accordance with its internal policy and NIST SP 800-37. The POA&Ms reports should include the status of prior security weaknesses identified to provide an audit trail of progress.

CONTINGENCY PLANNING PROGRAM

Our review concluded that although NEA has generally established an enterprise-wide business continuity/disaster recovery program, its program is not consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.

OMB’s FY 2013 instructions direct Inspectors General to determine whether the organization has incorporated the results of its system’s Business Impact Analysis (BIA) into the analysis and strategy development efforts for the organization’s Continuity of Operations Plan (COOP), Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). NEA has the required COOP; however, NEA has not developed an Information System Contingency Plan, as recommended in the FY 2011 evaluation. We also found that NEA’s Disaster Recovery Plan included obsolete information.

We recommend that NEA revise its Disaster Recovery Plan to ensure that the information is accurate and complete, in accordance with NIST SP 800-34.

RISK MANAGEMENT PROGRAM - INVENTORY CONTROLS

NEA provided us with an inventory of its computer system equipment that was updated as of June 2013. Our review found that although the listing included the required information on equipment and software, it did not include excess equipment. According to NEA’s inventory policy, excess equipment information should be maintained for three years.

We recommend that ITM fully implement its policies and procedures for inventory to ensure that its inventory information is accurate and complete.

EXIT CONFERENCE

We provided a draft copy of this report to ITM officials on January 8, 2014. The officials generally concurred with our findings and recommendations and agreed to initiate corrective actions.

RECOMMENDATIONS

We recommend NEA implement corrective actions for all open recommendations from prior OIG reports. We also recommend NEA:

1.     Implement its POA&M program in accordance with its internal policy and NIST SP 800-37. The POA&M reports should include the status of prior security weaknesses identified to establish an audit trail of progress.

2.     Revise its Disaster Recovery Plan to ensure that the information is accurate and complete, in accordance with NIST SP 800-34.

3.     Fully implement its policies and procedures for inventory control to ensure that its inventory information is accurate and complete.